ICANN/DNSO
DNSO Mailing lists archives

[nc-impwhois]



[nc-impwhois] WHOIS Implementation Com. teleconf. minutes Jan. 16, text version


[To: nc-impwhois@dnso.org]

Please find attached the minutes of the WHOIS Implementation Committee
teleconference held on January 16, 2003.
Text version will follow.

GNSO Secretariat


GNSO Council WHOIS Implementation Committee Teleconference on 16 January 2003 - minutes


http://www.dnso.org/dnso/mp3/20030115.NCWhoisTF-teleconf.mp3

Attendees:
Registrar - Bruce Tonkin
Registrar - Ken Stubbs
Registrar - Donna McGehee
Registrar - Elana Broitman
Registrar - Rick Wesson
Registrar - Tim Ruiz
Registrar - Margie Milam
Registrar - Steve Miholovich
WHOIS Task Force member - Steve Metalitz
WHOIS Task Force co-chair - Marilyn Cade
WHOIS Task Force member - Thomas Roessler

Secretariat

The aim of the call: To discuss the input received on the mailing list from each member of the committee on implementation issues associated with each recommendation.
The archives with comments can be found at:
http://www.dnso.org/clubpublic/nc-impwhois/Arc00/

- Reference documents
http://www.dnso.org/dnso/notes/20030110.NCWhoisTF-accuracy.html
http://www.dnso.org/dnso/notes/20030110.NCWhoisTF-bulkaccess.html

Bruce Tonkin suggested going through the Registries and Registrars to give an open summary of the major issues in implementing the WHOIS task force recommendations referring to:

WHOIS Task Force Recommendations on Accuracy related to Registrar Obligations
11. Registrars must require Registrants to review and validate all WHOIS data upon renewal of a registration. (Effectively an extension of RAA clause 3.7.7.1 above) The specifics of required validation remain to be determined by this Task Force or another appropriate body.
12. When registrations are deleted on the basis of submission of false contact data or non-response to registrar inquiries, the redemption grace period -- once implemented -- should be applied. However, the redeemed domain name should not be included in the zone file until accurate and verified contact information is available. The details of this procedure are under investigation in the Names Council's deletes task force.
13. (derived from recommendation 6 above) When registrars send inquiries to registrants regarding the accuracy of data under clause 3.7.8 of the RRA, they should require not only that registrants respond to inquiries within 15 days but that the response be accompanied by documentary proof of the accuracy of the "corrected" data submitted, and that a response lacking such documentation may be treated as a failure to respond.

 

(B) WHOIS Task Force Recommendations on bulk access related to Registrar Obligations
1. Registrars modify their bulk WHOIS access agreements to eliminate the use of data for marketing purposes.
The suggested revised section 3.3.6.3 is:
“Registrar’s access agreement shall require the third party to agree not to use the data to allow, enable, or otherwise support any marketing activities, regardless of the medium used. Such media include but are not limited to e-mail, telephone, facsimile, postal mail, SMS, and wireless alerts.”
The suggested revised section 3.3.6.5 is:
“Registrar's access agreement shall require the third party to agree not to sell or redistribute the data except insofar as it has been incorporated by the third party into a value-added product or service that does not permit the extraction of a substantial portion of the bulk data from the value-added product or service for use by other parties.”

Donna McGehee referred to the documentary proof that had to be provided when there was a complaint about a domain name, and asked what was understood by this.

Ken Stubbs reiterated his concerns on:
- authentication on challenges
- the 15 day period, which is not practical as it depends on the time of year and times around the world.
He did not want impractical burdens placed on registrars.

Elana Broitman referred to automatic renewals. The registrant may be notified of the renewal, but precaution should be taken, especially when dealing with valuable marks.

Bruce Tonkin stated that a notice should be sent to the registrant, irrespective of auto renewal to confirm the data. In future a WHOIS field could be implemented to indicate if a registrant has validated the data.
A message should be sent to the registrant to check if the contact is correct, but if there is no reply it would not get deleted.

All the issues on this should be collected and referred back to the WHOIS Task Force for wording that would cope with these issues.

Rick Wesson, taking the Microsoft example, said that if a registrar was presented with a challenge he should be able to check if the data is valid.
Bruce Tonkin added that if a complaint comes through and the data is correct, the 15 days should not apply.

Both Rick Wesson and Ken Stubbs felt that the registrar should be able to check without the registrant having to go through the process, while Bruce Tonkin felt that when the complaint looks frivolous, nothing should be done.

Margie Milam felt that the 15 day period was too short as a contact method could take longer. Bruce Tonkin: The 15 day period is in the existing agreement and also relates to the implementation. It should be extended to 30 days, which would require a policy change, if the registrar chooses to use postal mail to communicate with the registrant.

Steve Metalitz, from the task force, mentioned that ICANN should be requested to collect support data over 6 months to establish if there are problems.
He clarified that where there was a response after 15 days and there were problems with the domain name and the registrar:
- failure to renew can or cannot be a breach of the Registrars Accreditation Agreement (RAA)
- failure to give accurate data is a breach of the RAA.

With regard to renewals, most renewal processes took longer than 15 days. With autorenewals the assumption is that the information is correct. It is sufficient for the registrar to remind the registrant that it is their responsibility, and a non response would be accepted as adequate, but if there is a complaint, the situation is different.

Steve Metalitz noted that autorenewals had not been discussed in the task force. The WHOIS record is that data is not verified at the time of the renewal.
Margie Milam pointed out the difference between marketing purposes and marketing activities.

"Marketing activities" could be defined as any communication, regardless of the medium, initiated for the purpose of advertising the commercial availability or quality of any property, goods or services, but such term does not include a communication
(A) to any person with that person's prior express invitation or permission,
(B) to any person with whom the party has an established business relationship, or
(C) by a tax exempt non-profit organization.
The suggested revision adopts a new term "marketing activities" instead of the "marketing purposes" language that is currently adopted in the ICANN agreement. Query whether this is intentional or whether this committee should refer back to the standard "marketing purposes" language.

Bruce Tonkin noted that this would be taken into consideration and that the term would be elaborated using the wording in the existing contract.

Bruce Tonkin, speaking for Melbourne IT, made the following comments:
ACCURACY
(1) Transfers Task Force Recommendation (WHOIS update at renewal) "Registrars must require Registrants to review and validate all WHOIS data upon renewal of a registration. (effectively an extension of RAA clause 3.7.7.1 above) The specifics of required validation remain to be determined by this Task Force or another appropriate body."
This is implementable IF:
- the registrar presents the WHOIS data to the registrant at time of renewal (via website, fax, or postal message) = REVIEW
- the registrant is required to confirm that the data is still current, or update the information, and warrant that the information is still correct = VALIDATE
It is not feasible for the Registrar to validate the data (e.g. make phone calls to registrant, ring post office to confirm address exists etc). A registrar may optionally use various heuristic techniques to do some data validation (e.g. check that a USA city exists within a particular USA state) - but such techniques are not applicable uniformly across the globe. In general it is in the registrar's best interests to get accurate data as it increases the chance of a successful renewal - so there are commercial incentives here for clever registrars.
Suggested rewording : "Upon renewal of a domain name, a registrar must present to the Registrant the current WHOIS information, and remind the registrant that provision of false WHOIS information can be grounds for cancellation of their domain name registration. Registrants must review their WHOIS data, make any corrections, and warrant that the data is correct to the Registrar."
Steve Metalitz confirmed that it was what the task force had in mind.

Bruce Tonkin went on to:
(2) Transfers Task Force recommendation (Redemption Grace Period issue) "When registrations are deleted on the basis of submission of false contact data or non-response to registrar inquiries, the redemption grace period -- once implemented -- should be applied. However, the redeemed domain name should not be included in the zone file until accurate and verified contact information is available. The details of this procedure are under investigation in the Names Council's deletes task force."
The principle is OK. The wording of "accurate and verified" needs to be updated in the context of the recommendation that relates to correction of data following a complaint.
(3) Transfers Task Force recommendation (Data correction following a complaint) "When registrars send inquiries to registrants regarding the accuracy of data under clause 3.7.8 of the RRA, they should require not only that registrants respond to inquiries within 15 days but that the response be accompanied by documentary proof of the accuracy of the "corrected" data submitted, and that a response lacking such documentation may be treated as a failure to respond."
This recommendation is not implementable in its current form.
Implementation of this will depend on the business model of the individual registrar and the level of service/price paid for the domain name. In terms of requiring documentary proof - other than just storing the documentary proof - registrars are not authentication agencies.
Registrar and Authentication agent need to be separated.
The recommendation needs to identify a cost effective minimum implementation.
There are two components:
- contact of the registrant
- correction of information

Contacting the registrant is a common problem for registrars at the time of renewal, and various methods are used. Most registrars use a final step of placing the name in REGISTRAR HOLD status (the name is locked and removed from the zonefile).

Suggested minimum implementation:
In response to a complaint about WHOIS data:
First phase: CONTACT phase
- registrar sends an email to all contact points available in the WHOIS (e.g. registrant, admin, technical and billing) to request the information be corrected
- if no response is received after 15 days the name should be placed in REGISTRAR-HOLD status (or equivalent)
- the registrar can continue to try to contact the registrant using various other means, but normally the registrant of an active name will contact the registrar themselves
- the name would remain in REGISTRAR-HOLD status until the contact information is updated, or the name is deleted from the registry for lack of renewal
- this protects the registrant from any attempts at domain name hijacking, and also protects the community from any unsatisfactory practices resulting from the use of the domain name for a website or email
Second phase: CORRECTION
- registrar must present to the Registrant the current WHOIS information, and remind the registrant that provision of false WHOIS information can be grounds for cancellation of their domain name registration. Registrants must review their WHOIS data, make any corrections, and warrant that the data is correct to the Registrar.
- if within 60 days of updating the information, an independent authenticating party provides confirmation (a list of accredited authenticating parties to be defined, and a mechanism for them to securely communicate with registrars electronically) that the contact information is still incorrect, then the name will be placed on REGISTRAR-HOLD (or equivalent) until that authenticating party certifies that the information is correct.
The cost of the authenticating party would be borne by the complainant. This clearly separates the registrar role of data collection and not authentication.
- ICANN will need to accredit authentication parties in the same way that UDRP providers are accredited.
- The data accuracy complainant will need to pay the costs of the authenticating party verifying that the contact information is incorrect.
- The Registrant will need to pay the costs of an authenticating party to verify the corrected information. Could be a different authenticating party to the one used by the data accuracy complainant.
- a Registrar will be entitled to charge for the costs of updating WHOIS information via an accredited authentication agency (as there are likely to be manual processes involved).

Bruce Tonkin, speaking on behalf of Melbourne IT, suggested the following rewording of this recommendation:
"(a) Upon receiving a complaint about WHOIS accuracy, a registrar must at a minimum send an email to all contact points available in the WHOIS (including registrant, admin, technical and billing) requesting the WHOIS contact information be updated. If no response is received after 15 days a Registrar must place a name in REGISTRAR-HOLD (or equivalent) status, until the registrant has updated the WHOIS information. If a registrar uses postal means to communicate with the registrant, then the 15 days is extended to 30 days before the name is placed in REGISTRAR-HOLD status.
(b) Once contact is established, the registrar must present to the Registrant the current WHOIS information, and remind the registrant that provision of false WHOIS information can be grounds for cancellation of their domain name registration. Registrants must review their WHOIS data, make any corrections, and warrant that the data is correct to the Registrar.
(c) If within 60 days of the contact information being updated, an accredited authentication agency informs the Registrar that the data is incorrect, then the name will be placed in REGISTRAR-HOLD status until the registrant provides contact information that has been verified by an accredited authentication agency."

In discussion that followed, Thomas Roessler made two points:
1. How does one handle the case when the existing address points to someone else?
2. How does one handle the global coverage of authentication?
Rick Wesson commented that "authentication" was used in the Security committee and a more appropriate word would be "validating information" or "verification".
Steve Metalitz quoted the OECD case in adopting the recommendation and stated that there:
- A real person was provided with a real address
- New contact data was submitted which was false
Thus in an ongoing process it would not be suitable.
The registrar should incur the costs because he was under contract to ICANN.
There is a possibility that the complainant procedure may be abused and the registrar should be able to make a decision at face value without contacting the registrant.
Ken Stubbs, echoed by Margie Milam, remarked that there could be an economic impact on the 20 million domains registered, which would make it a costly and cumbersome process.
Marilyn Cade, co-chair of the WHOIS task force, commented that a number of industries undertake validation by taking a subscription, and pointed to a comment made by Rick Wesson that there would be less reliability in an automated system, which was an issue.
Steve Metalitz stated that there was no problem with an accredited agent making the decision, to which Bruce Tonkin answered that the registrar contacts the registrant when there has been a complaint and the registrant must provide new correct contact information.
Steve Metalitz asked how expensive it would be and commented that the cost burden falls on a third party complainant, to which Thomas Roessler added that it was strange that there is a contract obligation to a third party.

Bruce Tonkin stated that registrants must provide all contact details and if the contact details are inaccurate, the domain name can be canceled.
Steve Metalitz stated there was no problem with the overall model as a validation process.

Bruce Tonkin undertook to capture the remarks in the report.

Bruce Tonkin thanked all the participants on the call.

Meeting closed at 21:00 UTC January 16, 8:00 Melbourne time January 17.

Next teleconference: Thursday, 23 January 20:00 UTC, Friday 24 January 7:00 Melbourne time.
Dial in number sent to participants individually.
See:
http://www.dnso.org/meetings.html


Information from:
© GNSO Names Council


